How to use OAuth authentication in ServiceNow Inbound REST Calls?

Go to solution
rahulyamgar
Tera Guru

‎07-22-2020 06:08 PM

Hello Friends,

Today, one of my friend who was exploring the OAuth configuration in ServiceNow asked me -

1.If we need to send the username and password in grant_type=password requests, to get the access token and refresh token, how is it different than using the Basic Authentication?

2. If we used grant_type=password mechanism, how can we ensure that sender/client is using the refresh token to generate the access token and not the username & password to get the access token ?

3. What is the common/best practice in  implementing the OAuth - To provide user name and password to client to generate access token or ServiceNow administrator can generate the access and refresh token and provide the same to the Client?

@Aman Reddy Gurram (As you have already authored an article around the same) @Ankur Bawiskar (Based on your Community Video on OAuth) 

Thanks,
Rahul 

Labels:
0 Helpfuls
  • 4,860 Views
1 ACCEPTED SOLUTION

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron

‎07-23-2020 05:31 AM

@rahulyamgar 

Please find the responses below

1.If we need to send the username and password in grant_type=password requests, to get the access token and refresh token, how is it different than using the Basic Authentication?

- There are few benefits of OAuth over Basic Auth

  • Using OAuth 2.0 username & password is being limited number of times
  • Access tokens are revoked after particular amount of time i.e. lifespan so they are harder to re-use
  • Widely used by most of the 3rd party applications

2. If we used grant_type=password mechanism, how can we ensure that sender/client is using the refresh token to generate the access token and not the username & password to get the access token ?

- Once Access Token is expired and Refresh Token is still valid you should use Refresh Token to generate fresh Access Token using grant_type=refresh_token. This ensures you need not send the username and password again.

- But this doesn't stop the 3rd party from using the grant_type=password again to generate the Access Token. if the Refresh token is still valid then they will get the same refresh token but new access token if access token is expired.

- Getting the very 1st Access Token will always require the username and password that is how OAuth is defined for grant_type=password flow

3. What is the common/best practice in  implementing the OAuth - To provide user name and password to client to generate access token or ServiceNow administrator can generate the access and refresh token and provide the same to the Client?

- The Access Token and Refresh Token should be generated by 3rd party only. If you keep a system admin who does this job then that doesn't hold a valid scenario as OAuth flow should happen between 2 systems/applications without manual intervention. Though this can be done should be avoided

Hope this helps

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

View solution in original post

10 REPLIES 10

Go to solution
SW7
Giga Guru

‎07-23-2020 05:08 AM

Hi Rahul,

To answer your question, please see the answers below after performing such integrations.

 

1. The user credentials are used only once to establish the connection to another system, following the connection being established the system then performs token exchanges (bearer Token there after)

2. The HTTP outbound log will display outbound messages, but for checking what the client sends the node logs will show the information 

3. The administrator will provide the Client Secret, Client ID, along with the Rest User account (User Account) details to the other party.

 

Kind regards

Steve  

 

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron

‎07-23-2020 05:31 AM

@rahulyamgar 

Please find the responses below

1.If we need to send the username and password in grant_type=password requests, to get the access token and refresh token, how is it different than using the Basic Authentication?

- There are few benefits of OAuth over Basic Auth

  • Using OAuth 2.0 username & password is being limited number of times
  • Access tokens are revoked after particular amount of time i.e. lifespan so they are harder to re-use
  • Widely used by most of the 3rd party applications

2. If we used grant_type=password mechanism, how can we ensure that sender/client is using the refresh token to generate the access token and not the username & password to get the access token ?

- Once Access Token is expired and Refresh Token is still valid you should use Refresh Token to generate fresh Access Token using grant_type=refresh_token. This ensures you need not send the username and password again.

- But this doesn't stop the 3rd party from using the grant_type=password again to generate the Access Token. if the Refresh token is still valid then they will get the same refresh token but new access token if access token is expired.

- Getting the very 1st Access Token will always require the username and password that is how OAuth is defined for grant_type=password flow

3. What is the common/best practice in  implementing the OAuth - To provide user name and password to client to generate access token or ServiceNow administrator can generate the access and refresh token and provide the same to the Client?

- The Access Token and Refresh Token should be generated by 3rd party only. If you keep a system admin who does this job then that doesn't hold a valid scenario as OAuth flow should happen between 2 systems/applications without manual intervention. Though this can be done should be avoided

Hope this helps

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Go to solution
Neha Agarwal
Giga Expert
In response to Ankur Bawiskar

‎05-18-2021 07:32 AM

Hi @Ankur Bawiskar  We have multiple 3rd party integrations to be configured, what is the best practice to use oAuth configuration? Do we configure one oAuth for all 3rd party configuration or one oAuth for each one.

Thanks, Neha

0 Helpfuls

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron
In response to Neha Agarwal

‎05-19-2021 12:14 AM

Hi,

Yes I have seen multiple OAuth entries per integration so that there is no dependency between them.

Because different integration might require different OAuth Access + Refresh token lifespan

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader